Week in review: Android Oreo security, hacking robots, DDoS attacks on the rise

Here’s an overview of some of last week’s most interesting news, podcasts and articles:

Judge limits DOJ’s search of anti-Trump website data
On Thursday, District of Columbia Superior Court Judge Robert Morin ruled that DreamHost must comply with the narrowed warrant, but has further limited the government’s access to the asked-for data, in order to limit exposure of sensitive user information.

Review: Securing the Internet of Things
The authors do a good job explaining the current situation regarding the Internet of Things.

Android Oreo: What’s new on the security front
Google released the long-awaited Android 8.0 Oreo in an unveiling that coincided with the total solar eclipse visible in much of the US. The newest version of the OS contains many new features and behavior changes, as well as many security improvements and security-related changes.

Learning from success: Brian Honan’s infosec journey
Like many industry veterans who are near his age, Brian Honan fell into information security more out of chance than by following a pre-determined career path.

Third party trackers on web shops can identify users behind Bitcoin transactions
More and more shopping Web sites accept cryptocurrencies as a method of payment, but users should be aware that these transactions can be used to deanonymize them – even if they are using blockchain anonymity techniques such as CoinJoin.

Another Ukrainian software maker’s site compromised to spread malware
The web server of Crystal Finance Millennium, a Ukraine-based accounting software firm, has been compromised and made to host different types of malware.

Google pulls 500+ backdoored apps from Google Play
Security researchers have identified over 500 apps on Google Play containing an advertising software development kit (SDK) called Igexin, which allowed covert download of spying plugins.

Gaming the system for a better experience
Dwayne Melancon, VP of Product at iovation, thinks that, in the future, user experience design (UX) will become an increasingly important part of the security team.

Here we go again: DDoS attacks on the rise!
Newly released data shows that DDoS and web application attacks are on the rise once again, according to Akamai’s Second Quarter, 2017 State of the Internet / Security Report. Contributing to this rise was the PBot DDoS malware which re-emerged as the foundation for the strongest DDoS attacks seen by Akamai this quarter.

A step toward practical quantum encryption over free-space networks
Researchers have sent a quantum-secured message containing more than one bit of information per photon through the air above a city.

Living in an Assume Breach world
A hack-proof security architecture is an unusable security architecture. There are always trade-offs and to do anything useful, we need to open ourselves up to risk.

Hacked robots can be a deadly insider threat
IOActive researchers have probed the security of a number of humanoid home and business robots as well as industrial collaborative robots, and have found it seriously wanting.

Hackers stole over $500,000 from Enigma cryptocurrency investors
The attack unfolded on Monday (August 21), but the company noticed that something was happening the day before, and posted a warning on Twitter.

Researchers devise app to protect PINs and passwords
Every ATM or smartphone user can attest to the discomfort of having a stranger standing close enough to observe a financial transaction — and potentially note a PIN or account number. Now researchers at the NYU Tandon School of Engineering have announced an application to combat such “shoulder-surfing,” whether in person or via a building’s video camera.

Understanding the dark web and how it factors into cybersecurity
In this podcast recorded at Black Hat USA 2017, Eric Olson, VP of Intelligence Operations at LookingGlass Cyber Solutions, talks about the dark net and how it factors into cyber security.

Global DMARC adoption still slow, it’s open season for phishers
92 percent of U.S. Fortune 500 companies have left their customers, partners and brand names vulnerable to domain name spoofing, one of the most common digital deception attack vectors.

Network forensics tool NetworkMiner 2.2 released
NetworkMiner is a popular network forensics tool that can parse pcap files as well as perform live sniffing of network traffic. It collects data about hosts on the network rather than data regarding the traffic on the network.

Hacking smartphones with malicious replacement parts
Smartphone users can now add a new entry to the list of things they need to worry about: their phones being compromised via replacement parts.

Why you need to implement security controls across your environment
In this podcast recorded at Black Hat USA 2017, Tim White, Director of Product Management, Policy Compliance at Qualys, discusses the importance of security configuration assessment as part of a comprehensive vulnerability management program, and why automating the configuration assessment and reporting of varied IT assets in a continuous manner is important to securing today’s organizations.

Doing things right: Cloud and SecOps adoption
There is hardly an organization out there that isn’t planning or hasn’t already taken advantage of the cloud. And, according to Threat Stack CTO Sam Bisbee, there is hardly a technology-oriented organization anywhere on the small-business-to-enterprise spectrum that isn’t a good candidate for SecOps. But the use of these technologies has to be well thought out and implemented, to prevent it becoming, down the line, an operational problem or a way in for attackers.

What’s needed for the first NYS DFS cybersecurity transitional phase?
The first transitional phase of the New York State’s Department of Financial Services (NYS DFS) cybersecurity regulation is upon us. As of August 28th, 2017, covered entities are required to be in compliance with the first phase of the 23 NYCRR Part 500 standard.

Sqrrl empowers threat hunters with self-service analytics
Today, analysts must either have advanced data science skills to build hunting algorithms that detect suspicious cyber behaviors or rely on blackbox vendor tools that package rigid algorithms. Sqrrl Enterprise 2.8 introduces the ability for analysts to easily create new hunting analytics without writing any code or having any data science skills.

New infosec products of the week: August 25, 2017
A rundown of infosec products released last week.